Catalyst 2960-XR Switch Security Configuration Guide, Cisco IOS Release 15.0(2)EX1

Configuring IPv4 ACLs
Creating a Numbered Extended ACL (OL-29434-01, page 123)

Purpose (continued from the preceding step, the extended IPv4 ACL entry):

The destination is the network or host number to which the packet is sent.
The destination-wildcard applies wildcard bits to the destination.

Source, source-wildcard, destination, and destination-wildcard can be specified as:
• The 32-bit quantity in dotted-decimal format.
• The keyword any for 0.0.0.0 255.255.255.255 (any host).
• The keyword host followed by an address, for a single host (equivalent to a wildcard of 0.0.0.0).

The other keywords are optional and have these meanings:
• precedence—Enter to match packets with a precedence level specified as a number from 0 to 7 or by name: routine (0), priority (1), immediate (2), flash (3), flash-override (4), critical (5), internet (6), network (7).
• fragments—Enter to apply the entry to non-initial fragments only (fragments with a nonzero offset, which carry no Layer 4 header and therefore cannot be matched on ports or flags).
• tos—Enter to match by type of service level, specified by a number from 0 to 15 or a name: normal (0), max-reliability (2), max-throughput (4), min-delay (8).
• log—Enter to create an informational logging message to be sent to the console about the packet that matches the entry, or log-input to also include the input interface in the log entry.
• time-range—Specify the time-range name.
• dscp—Enter to match packets with the DSCP value specified by a number from 0 to 63, or use the question mark (?) to see a list of available values.

Note: If you enter a dscp value, you cannot enter tos or precedence. You can enter both a tos and a precedence value with no dscp.

Step 3

Command or Action:
access-list access-list-number {deny | permit} tcp source source-wildcard [operator port] destination destination-wildcard [operator port] [established] [precedence precedence] [tos tos] [fragments] [log [log-input]] [time-range time-range-name] [dscp dscp] [flag]

Example:
Switch(config)# access-list 101 permit tcp any any eq 500

Purpose:
Defines an extended TCP access list and the access conditions. The parameters are the same as those described for an extended IPv4 ACL, with these exceptions:

(Optional) Enter an operator and port to compare the source port (if positioned after source source-wildcard) or the destination port (if positioned after destination destination-wildcard). Possible operators are eq (equal), gt (greater than), lt (less than), neq (not equal), and range (inclusive range). Operators require a port number (range requires two port numbers separated by a space). Enter the port number as a decimal number (from 0 to 65535) or the name of a TCP port.

The other optional keywords have these meanings:
• established—Enter to match an established connection. This has the same function as matching on the ack or rst flag. The check is stateless: any segment with the ACK or RST bit set matches, whether or not a connection actually exists, so a crafted ACK-only packet passes an established entry just as a reply segment does.
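The match semantics described in this step and in the preceding purpose column (wildcard masks, the any and host keywords, operator position deciding source versus destination port, established, and the dscp versus tos/precedence restriction) as an added Python model. This is example code written for this page, not code from the Cisco guide or from IOS. The Packet summary, the second and third entries of ACL 101, and the small port-name table are constructed for the illustration; the model also goes slightly beyond the page in applying the implicit deny that ends every IOS ACL and in showing why established is a stateless check.

```python
"""Evaluator for the extended TCP access-list syntax described above.

Added example, not code from the Cisco guide or from IOS: it models the page's Step 3
syntax (wildcard masks, any/host, eq/gt/lt/neq/range in either position, established,
the dscp/tos/precedence Note) plus the implicit deny that ends every IOS ACL.
"""
import ipaddress
from dataclasses import dataclass

# Constructed subset of the TCP port names IOS accepts in place of a number.
TCP_PORT_NAMES = {"ftp": 21, "telnet": 23, "smtp": 25, "www": 80, "bgp": 179}
PORT_OPS = {"eq": lambda p, a, b=None: p == a, "neq": lambda p, a, b=None: p != a,
            "gt": lambda p, a, b=None: p > a, "lt": lambda p, a, b=None: p < a,
            "range": lambda p, a, b: a <= p <= b}  # range is inclusive

@dataclass(frozen=True)
class Packet:  # constructed summary: only the fields an extended TCP ACE looks at
    src: str
    dst: str
    sport: int
    dport: int
    flags: frozenset  # TCP flags set in this segment, e.g. frozenset({"syn"})

def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: a 0 bit must match, a 1 bit is 'don't care' (inverse of a netmask)."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

def _parse_addr(t, i):
    """Parse 'any', 'host A' or 'A W' at t[i]; return ((base, wildcard), next index)."""
    if t[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if t[i] == "host":
        return (t[i + 1], "0.0.0.0"), i + 2
    return (t[i], t[i + 1]), i + 2

def _parse_port_op(t, i):
    """Parse an optional 'operator port' (or 'range lo hi') at t[i]; None if absent."""
    if i < len(t) and t[i] in PORT_OPS:
        n = 3 if t[i] == "range" else 2
        ports = (int(x) if x.isdigit() else TCP_PORT_NAMES[x] for x in t[i + 1:i + n])
        return (t[i], *ports), i + n
    return None, i

def port_match(spec, port):
    return spec is None or PORT_OPS[spec[0]](port, *spec[1:])

def parse_ace(line):
    """Parse 'access-list N {permit|deny} tcp ...'; operator position selects source or destination port."""
    t = line.split()
    if t[0] != "access-list" or t[2] not in ("permit", "deny") or t[3] != "tcp":
        raise ValueError("not an extended TCP ACE: " + line)
    ace = {"number": int(t[1]), "action": t[2]}
    ace["src"], i = _parse_addr(t, 4)
    ace["sport"], i = _parse_port_op(t, i)   # operator before the destination: source port
    ace["dst"], i = _parse_addr(t, i)
    ace["dport"], i = _parse_port_op(t, i)   # operator after the destination: destination port
    rest = t[i:]
    if "dscp" in rest and ("tos" in rest or "precedence" in rest):  # the Note above
        raise ValueError("dscp cannot be combined with tos or precedence: " + line)
    ace["established"] = "established" in rest
    return ace

def ace_is_valid(line):
    try:
        return bool(parse_ace(line))
    except (ValueError, KeyError, IndexError):
        return False

def ace_matches(ace, p):
    # established is stateless: it only asks whether ACK or RST is set in this one segment.
    established_ok = not ace["established"] or bool(p.flags & {"ack", "rst"})
    return (wildcard_match(p.src, *ace["src"]) and wildcard_match(p.dst, *ace["dst"])
            and port_match(ace["sport"], p.sport) and port_match(ace["dport"], p.dport)
            and established_ok)

def evaluate(acl, p):
    """Entries are tested top down; first match wins; no match means the implicit deny."""
    for line in acl:
        ace = parse_ace(line)
        if ace_matches(ace, p):
            return ace["action"]
    return "deny"

# Constructed ACL 101: the page's own entry first, then two hypothetical entries.
ACL_101 = [
    "access-list 101 permit tcp any any eq 500",
    "access-list 101 permit tcp 10.1.0.0 0.0.255.255 host 192.0.2.10 eq www",
    "access-list 101 permit tcp any 10.1.0.0 0.0.255.255 established",
]

if __name__ == "__main__":
    syn, ack = frozenset({"syn"}), frozenset({"ack"})
    for label, pkt in [("SYN to TCP/500", Packet("198.51.100.9", "203.0.113.5", 40000, 500, syn)),
                       ("10.2.x -> web server:80", Packet("10.2.5.7", "192.0.2.10", 40000, 80, syn)),
                       ("inbound SYN to 10.1.1.1:22", Packet("198.51.100.9", "10.1.1.1", 40000, 22, syn)),
                       ("inbound bare ACK to 10.1.1.1:22", Packet("198.51.100.9", "10.1.1.1", 40000, 22, ack))]:
        print(f"{label:32} -> {evaluate(ACL_101, pkt)}")
```

The last two probes are the point of the third entry: an inbound SYN to 10.1.1.1:22 is dropped by the implicit deny, but a bare ACK to the same port is permitted even though no connection exists, which is exactly the behaviour an ACK-scan or a spoofed segment relies on. The dscp/tos/precedence restriction from the Note is enforced at parse time rather than silently ignored.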